OpenLDAP Configuration Files

OpenLDAP configuration files are installed into the /etc/openldap/ directory. The following is a brief list highlighting the most important directories and files:

Note

If the nss_ldap package is installed, it will create a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. See the Section called Configuring Your System to Authenticate Using OpenLDAP for more information about this configuration file.

slapd.conf

In order to use the slapd LDAP server, you will need to modify its configuration file, /etc/openldap/slapd.conf. You must edit this file to make it specific to your domain and server.

The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix          "dc=your-domain,dc=com"

so that it reflects your domain name. For example:

suffix          "dc=example,dc=com"

The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value to something like the example below:

rootdn          "cn=root,dc=example,dc=com"

Change the rootpw line to something like the example below:

rootpw          {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u

In the rootpw example, you are using a hashed root password ({SSHA} is a salted SHA-1 hash), which is a much better idea than leaving a plain text root password in the slapd.conf file. To generate this string, type the following command:

slappasswd

You will be prompted to type and then re-type a password. The program prints the resulting hashed password to the terminal; paste that whole string, including the {SSHA} prefix, as the value of rootpw.

Warning

LDAP passwords, including the rootdn password set with the rootpw directive in /etc/openldap/slapd.conf, are sent over the network in plain text during a simple bind unless you enable TLS encryption.

For added security, the rootpw directive should only be used if the initial configuration and population of the LDAP directory has to occur over a network. After the task is completed, it is best to comment out the rootpw directive by preceding it with a pound sign (#). Keep slapd.conf readable only by root and the account slapd runs as, since anyone who can read the file can attack the hash offline.

Tip

If you are using the slapadd command-line tool locally to populate the LDAP directory, using the rootpw directive is not necessary.
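The following is an added example, not part of the original guide or of OpenLDAP. It shows what the {SSHA} string produced by slappasswd actually contains (base64 of a 20-byte SHA-1 digest followed by the salt; slappasswd uses a 4-byte random salt by default), verifies a password against such a string, and audits a slapd.conf fragment for the two rootpw mistakes the warning above describes: a plain text value, and a rootpw line left active after the directory has been populated. The configuration fragments and the function names are constructed for this example.

```python
"""Hypothetical helper: {SSHA} hashing as slappasswd produces it, plus a
rootpw audit for slapd.conf. Added example, not OpenLDAP code."""
import base64
import hashlib
import hmac
import os
import re

SHA1_LEN = 20  # SHA-1 digest is 20 bytes; everything after it is the salt


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt).

    A random 4-byte salt is used unless one is supplied (fixed salts only
    belong in tests)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time compare


def ssha_salt_length(stored: str) -> int:
    """Length of the salt embedded in a {SSHA} value (4 for slappasswd)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return len(raw) - SHA1_LEN


# rootpw line, optionally commented out; value may be quoted in slapd.conf
ROOTPW_RE = re.compile(r"^(#?)\s*rootpw\s+(\S+)\s*$")


def audit_rootpw(conf: str) -> list:
    """Return (line number, severity, message) for every rootpw line found."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = ROOTPW_RE.match(line.strip())
        if not m:
            continue
        commented, value = m.group(1) == "#", m.group(2).strip('"')
        hashed = value.startswith("{") and "}" in value
        if commented:
            findings.append((lineno, "info", "rootpw is commented out"))
        elif hashed:
            findings.append((lineno, "warn",
                             "rootpw is active; comment it out once the "
                             "directory is populated"))
        else:
            findings.append((lineno, "critical",
                             "rootpw is stored in plain text; replace it "
                             "with slappasswd output"))
    return findings


# Constructed slapd.conf fragments for the example (not real deployments).
SAMPLE_CONF_PLAINTEXT = """\
include         /etc/openldap/schema/core.schema
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
rootpw          secret
"""

SAMPLE_CONF_HARDENED = """\
include         /etc/openldap/schema/core.schema
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
# rootpw        {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u
"""

if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify("secret", h), ssha_verify("wrong", h))
    for name, conf in (("plaintext", SAMPLE_CONF_PLAINTEXT),
                       ("hardened", SAMPLE_CONF_HARDENED)):
        for lineno, sev, msg in audit_rootpw(conf):
            print(f"{name}:{lineno}: {sev}: {msg}")
```

The {SSHA} value shown earlier on this page decodes to 24 bytes, i.e. a 20-byte digest plus a 4-byte salt, which is exactly what slappasswd emits. Salted hashes of this kind still fall to offline guessing if slapd.conf leaks, so the audit treats even a hashed but still-active rootpw as worth a warning.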

The /etc/openldap/schema/ Directory

The /etc/openldap/schema/ directory holds the LDAP schema definitions that were previously located in the slapd.at.conf and slapd.oc.conf files. All attribute type definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using include lines, as shown in this example:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/rfc822-MailMember.schema
include		/etc/openldap/schema/autofs.schema
include		/etc/openldap/schema/kerberosobject.schema

Caution

You should not modify any of the schema items defined in the schema files installed by OpenLDAP. Package updates may overwrite those files, and changing standard definitions breaks interoperability with clients that expect them.

You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.conf by adding the following line below your default include schema lines:

include          /etc/openldap/schema/local.schema

Next, go about defining your new attribute types and object classes within the local.schema file. Many organizations copy existing attribute types and object classes from the schema files installed by default into local.schema as templates, then adapt the copies (giving them their own names and OIDs rather than editing the installed files). This can help you to learn the schema syntax while meeting the immediate needs of your organization.

Extending schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Visit http://www.openldap.org/doc/admin/schema.html for information on writing new schema files.